Is auditing ftruncate useful?

Steve Grubb sgrubb at redhat.com
Fri Mar 6 16:59:50 UTC 2020


On Monday, February 10, 2020 6:29:22 PM EST Casey Schaufler wrote:
> On 2/10/2020 3:05 PM, Orion Poplawski wrote:
> > On 2/10/20 3:54 PM, Paul Moore wrote:
> > So, this is all reasonable.  But why do I get this with fchown which also
> > takes a file descriptor?
> > ...
> > 
> > It's this disparity between fchown and ftruncate that caught my
> > attention.
> 
> fchown changes the security state (mode bits) of the file,
> whereas ftruncate changes the content of the file. The former
> is clearly security relevant, the latter is not.

Well, security relevant or not, the requirement that the rule meets is 
located here:

https://www.niap-ccevs.org/MMO/PP/-442-/#fau

File and object events (Successful and unsuccessful attempts to create, 
access, delete, modify, modify permissions), 

Since they separate modify and modify permissions, they clearly want changes 
to content. Now, in the real world is that necessary? Maybe only in super 
important scenarios where you have to know any change to anything.

-Steve
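As an added illustration, not code from the thread or from the audit project, here is a small Python script that sorts interpreted (ausearch -i style) SYSCALL records into the event classes of the requirement quoted above, so one can see whether a rule set reports "modify" (ftruncate, truncate) separately from "modify permissions" (fchown, fchmod) and whether failed attempts are counted. The syscall-to-class table and the sample records are assumptions constructed for the example.

```python
import re
from collections import Counter

# Syscall -> PP event class. This grouping is an assumption for the example;
# the thread only establishes that ftruncate changes content and fchown changes
# security state, and that the PP lists "modify" and "modify permissions" separately.
EVENT_CLASS = {
    "truncate": "modify", "ftruncate": "modify", "write": "modify",
    "chown": "modify permissions", "fchown": "modify permissions",
    "chmod": "modify permissions", "fchmod": "modify permissions",
    "open": "access", "openat": "access",
    "unlink": "delete", "unlinkat": "delete", "creat": "create",
}

# Fields of an interpreted SYSCALL record that the classifier needs.
FIELD_RE = re.compile(r'(?P<key>syscall|success|auid|exe|key)=(?P<val>\S+)')

def parse_record(line):
    """Return {field: value} for a SYSCALL record, or None for other record types."""
    if not line.startswith("type=SYSCALL"):
        return None
    return {m.group("key"): m.group("val") for m in FIELD_RE.finditer(line)}

def classify(lines):
    """Count records per (PP event class, outcome); unmapped syscalls go to 'unclassified'."""
    counts = Counter()
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        event = EVENT_CLASS.get(rec.get("syscall"), "unclassified")
        outcome = "success" if rec.get("success") == "yes" else "failure"
        counts[(event, outcome)] += 1
    return counts

# Constructed sample records (not taken from the thread); values are illustrative.
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(02/10/2020 15:05:01.101:201) : arch=x86_64 syscall=ftruncate success=yes exit=0 auid=1000 uid=1000 exe=/usr/bin/truncate key=file-modify',
    'type=SYSCALL msg=audit(02/10/2020 15:05:02.102:202) : arch=x86_64 syscall=fchown success=no exit=EPERM auid=1000 uid=1000 exe=/usr/bin/chown key=perm-mod',
    'type=PATH msg=audit(02/10/2020 15:05:02.102:202) : item=0 name=/etc/shadow inode=1234',
    'type=SYSCALL msg=audit(02/10/2020 15:05:03.103:203) : arch=x86_64 syscall=fchmod success=yes exit=0 auid=1000 uid=1000 exe=/usr/bin/chmod key=perm-mod',
    'type=SYSCALL msg=audit(02/10/2020 15:05:04.104:204) : arch=x86_64 syscall=ftruncate success=no exit=EACCES auid=1000 uid=1000 exe=/usr/bin/truncate key=file-modify',
]

if __name__ == "__main__":
    for (event, outcome), n in sorted(classify(SAMPLE_LOG).items()):
        print(f"{event:20} {outcome:8} {n}")
```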
